United Kingdom
Education Giant Pearson hit by cyberattack exposing customer data
- Pearson, a UK-based education company and one of the world’s largest providers of academic publishing and assessments to schools, universities and individuals in over 70 countries, suffered a cyberattack.
- The organisation has taken steps to stop the attack, investigate it and deploy additional security measures, including enhanced security monitoring and authentication.
- Pearson confirmed that the unauthorised actor largely gained access to legacy data, which did not include employee information.
- This comes after threat actors allegedly compromised Pearson’s developer environment in January of this year through an exposed GitLab Personal Access Token, which led them to further hardcoded credentials and authentication tokens for cloud platforms such as AWS and Snowflake and allowed them to steal terabytes of data. The token was reportedly exposed through a publicly accessible “.git/config” file. For this reason, it is critical to prevent public access to “.git/config” (and the rest of the “.git” directory) and to avoid embedding credentials in remote URLs.
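The two controls in the previous point can be checked mechanically. The script below is an added example written for this digest, not code from Pearson, GitLab or the original reporting: it parses a `.git/config`, flags remote URLs that carry credentials in the userinfo part (the `https://user:token@host/...` form) and `http.extraheader` entries that store an `Authorization` header, prints a redacted form of each, and shows the check one would run against a web server to confirm that `/.git/config` is not being served. The sample config, hostnames, paths and token values are all constructed placeholders.

```python
"""Added example: find credentials that a leaked .git/config would hand out,
and recognise a .git/config served by a web server. Not from any real repo."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

SECTION_RE = re.compile(r'^\s*\[(?P<section>[^\]]+)\]\s*$')
KEY_RE = re.compile(r'^\s*(?P<key>[A-Za-z0-9-]+)\s*=\s*(?P<value>.*?)\s*$')
COMMENT_RE = re.compile(r'^\s*[#;]')

# Constructed sample .git/config. The token and the Basic header are made up
# (the header decodes to "deploy:s3cr3t"); "mirror" uses SSH and is fine.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://oauth2:glpat-EXAMPLE0000000000000@gitlab.example.com/acme/platform.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.example.com:acme/platform.git
[http]
\textraheader = Authorization: Basic ZGVwbG95OnMzY3IzdA==
"""

# Constructed body of a normal web server's answer to GET /.git/config.
SAMPLE_HTML_404 = "<html><body><h1>404 Not Found</h1></body></html>\n"


def parse_git_config(text):
    """Return [(section, key, value), ...] in file order. Git allows a key to
    repeat (several url entries per remote), so a list is kept, not a dict."""
    entries, section = [], ''
    for line in text.splitlines():
        if not line.strip() or COMMENT_RE.match(line):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group('section').strip()
            continue
        m = KEY_RE.match(line)
        if m:
            entries.append((section, m.group('key').lower(), m.group('value')))
    return entries


@dataclass
class Finding:
    section: str
    key: str
    reason: str
    redacted: str


def redact_url(url):
    """Drop the userinfo part, keeping scheme, host, port and path."""
    p = urlsplit(url)
    host = p.hostname or ''
    if p.port:
        host = f'{host}:{p.port}'
    return urlunsplit((p.scheme, host, p.path, p.query, p.fragment))


def find_credentials(config_text):
    """Flag remote URLs with embedded credentials and stored Authorization
    headers. A username alone is only a finding over http(s), where GitLab
    and GitHub accept a token in that position; "git@host" over SSH is not."""
    findings = []
    for section, key, value in parse_git_config(config_text):
        if key == 'url':
            p = urlsplit(value)
            if p.password or (p.scheme in ('http', 'https') and p.username):
                findings.append(Finding(section, key,
                    'credential embedded in remote URL userinfo',
                    redact_url(value)))
        elif section == 'http' and key == 'extraheader' \
                and value.lower().startswith('authorization:'):
            findings.append(Finding(section, key,
                'Authorization header stored in http.extraheader',
                'Authorization: <redacted>'))
    return findings


def looks_like_git_config(status, body):
    """True when a GET for /.git/config returned something git itself would
    read as a repository config: HTTP 200 and a [core] section carrying
    repositoryformatversion. A 404 or an HTML error page is not a leak."""
    if status != 200:
        return False
    keys = {(s, k) for s, k, _ in parse_git_config(body)}
    return ('core', 'repositoryformatversion') in keys


if __name__ == '__main__':
    for f in find_credentials(SAMPLE_GIT_CONFIG):
        print(f'[{f.section}] {f.key}: {f.reason} -> {f.redacted}')
    print('exposed:', looks_like_git_config(200, SAMPLE_GIT_CONFIG))
    print('exposed:', looks_like_git_config(200, SAMPLE_HTML_404))
```

In practice the body passed to `looks_like_git_config` comes from an HTTP GET of `https://<your-host>/.git/config` against each deployed site, and any hit is fixed at the web server (deny every path under `/.git`) rather than by removing individual files. Each finding from `find_credentials` is remediated by rewriting the remote to its redacted form with `git remote set-url` and moving the secret into a credential helper, and the exposed token is revoked, since anyone who fetched the file already has it.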
Bedford Borough Council changes public data after breach, but won’t report to ICO
- Bedford Borough Council published an April 2021 procurement file that mistakenly included the full names of three individuals linked to payments for storage services. After being contacted by the Local Democracy Reporting Service (LDRS), the council temporarily removed the entries without noting the omission, then republished the file with the names redacted.
- The council said that it is reviewing its records to ensure appropriate data publication and affirmed its commitment to transparency. Despite the data breach, it decided not to report the incident to the Information Commissioner’s Office (ICO), asserting that the breach did not meet the reporting threshold as only names (first and last, or initial and last) were exposed, without further sensitive information.
- This decision drew some criticism, with critics arguing that under GDPR Articles 33 and 34, revealing full names without encryption or masking constitutes a high risk to individuals’ rights and freedoms.
- While the ICO does not comment on individual cases, it reiterated that not all breaches require mandatory reporting. However, it expects organisations to carry out thorough risk assessments.
United States
FTC Delays Enforcement of ‘Click-to-Cancel’ Subscription Rule to July 14
- The Federal Trade Commission (FTC) has delayed enforcement of the “click-to-cancel” rule by 60 days, pushing the date to July 14.
- The rule, formally known as the Negative Option Rule, requires companies to let consumers cancel a subscription through the same method used to sign up, whether that is the website, a mobile app or any other digital interface.
- The rule also mandates that cancellation terms be disclosed before payment is collected, to improve transparency and reduce friction for consumers.
- The rule was initially due to take effect on January 19 and was first delayed to May 14; that date has now been pushed back a further 60 days to July 14. The Commission said the extension gives organisations the time needed to comply with the rule’s complex requirements.
Europe
European Data Protection Supervisor issues new guidance on EU privacy policies
- The European Data Protection Supervisor (EDPS) has published new guidance for the EU co-legislators (the Commission, Parliament and Council) on how to design legislative acts involving personal data processing while respecting the fundamental rights guaranteed by the European legal system.
- The guidance emphasises that legislative measures must be clear, precise and foreseeable, to protect against abuse and misuse of personal information.
- Overall, the guidance calls for greater rigour and transparency in setting out the purposes and limits of personal data processing: who collects the data, for what purposes, on what legal basis, for how long, and with what safeguards for data subjects.
- The aim of this guidance is to ensure that any legislation is compatible with the EU Charter of Fundamental Rights.
EU commissioner lays out suite of AI governance, consumer protection goals
- The Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, Michael McGrath, plans to introduce a new Digital Fairness Act focused on making the rules for using AI solutions in business and consumer settings clear.
- This Act will include burden reduction and simplification measures, such as reducing information requirements in repetitive transactions like in-app purchases.
- The rationale for these measures stems from pressure on the EU, from within and outside the continent, to loosen some of its digital rules. This has already led to moves to revise the GDPR with simpler rules, especially for SMEs, such as changes to the record-keeping obligation.
- The commissioner also promised to introduce a digital strategy for the justice system, to provide guidance on how to use AI to streamline processes while protecting rights and making the process transparent.
International
South Korea fines China’s Temu for user data violations
- South Korea has fined Temu nearly US$1 million for transferring Korean users’ personal data to China and other countries without disclosing this in its privacy policy.
- According to the country’s Personal Information Protection Commission (PIPC), Temu outsources and stores users’ data with companies in several countries, including China, Singapore and Japan, as well as South Korea.
- In addition to the lack of transparency in the processing of personal data, the PIPC stated that Temu failed to supervise those overseas companies’ data protection compliance, as it did not properly inspect their handling of the personal information. Furthermore, Temu has no local representative, even though one is required under South Korea’s Personal Information Protection Act (PIPA) given that Temu has an average of 2.9 million daily users in South Korea.
- Moreover, Temu has a complicated seven-step account deletion process, making it difficult for users to exercise their rights under PIPA.
- Temu’s spokesperson said the company will cooperate with the investigation and has already started making improvements to align its processing activities with PIPA.
India’s draft Digital Personal Data Protection Rules compared with the EU GDPR
- India’s draft Digital Personal Data Protection Rules, released in early 2025 for stakeholder consultation, are a step towards implementing the Digital Personal Data Protection Act (DPDPA), 2023.
- The Act is inspired by the EU’s GDPR and as such promotes the same data protection principles, such as purpose limitation and data minimisation, and keeps consent as the primary legal ground for processing personal data.
- The main difference between the two is that the Indian DPDPA applies exclusively to digital personal data and not to offline data. Moreover, unlike the EU GDPR, the DPDPA does not provide broader lawful bases for processing personal data such as legitimate interest and contractual necessity. Finally, the DPDPA only applies to entities offering goods and services within India, whereas the EU GDPR applies to any entity processing EU residents’ data.
- In terms of cross-border transfers, the EU GDPR permits them subject to safeguards such as adequacy decisions or standard contractual clauses, whereas the Indian DPDPA takes a blacklist approach, restricting transfers to jurisdictions the government notifies.
- Moreover, to protect individuals’ rights, especially those of minors, the DPDPA sets the minimum age for consent at 18, compared with a default of 16 under the EU GDPR (which member states may lower to 13). Furthermore, while both frameworks provide for the ‘right to be forgotten’, the DPDPA has a much narrower understanding and enforcement of it.